Why a South African “introducing broker” get fined when the trading platform is offshore?
- Marensa Advisory
- Feb 28
- 4 min read
Regulators don’t supervise “platforms in the abstract”. They supervise licensed entities in their jurisdiction, and they expect those entities to prove, with evidence, that controls work in practice.
On 16 February 2026, South Africa’s FSCA imposed an administrative penalty of R710,000 (USD 45,000 approximately) on QuickTrade (Pty) Ltd (FSP 45262) for non-compliance with the Financial Intelligence Centre Act (FICA). Public reporting on the regulator’s findings points to three recurring weaknesses: an RMCP that didn’t sufficiently operationalise risk controls, CDD gaps (including source of funds and ownership/control understanding), and cash reporting failures.
This is also a classic cross-border operating model: QuickTrade (South Africa) describes itself as an introducing broker (IB) to QuickTrade.World, which it states is incorporated in Botswana. (QuickTrade.World)
So why does enforcement land on the local introducer, even when the execution and technology are offshore?
The regulator’s logic is simple: you can outsource tasks, not accountability
Across AML/CFT regimes, the principle is consistent:
You may use third parties to support parts of compliance delivery, but the accountable institution remains liable for meeting legal obligations. (fic.gov.za)
Internationally, FATF standards also anchor this: where a firm relies on third parties for elements of CDD, ultimate responsibility remains with the relying institution. (FATF)
That principle becomes decisive in “local IB + offshore platform” models.
Why did regulators fine the local introducing broker first (even when the platform is offshore)
1) Jurisdiction and enforcement reach
The regulator’s hard power (inspection, production orders, sanctions) applies to the entity it licenses. Offshore entities may sit outside direct reach or require cross-border cooperation. So enforcement starts where action is immediate: the local licence holder.
2) The local IB is the market “gatekeeper”
Even if execution is offshore, the local IB typically influences:
client acquisition and market messaging,
onboarding journeys and client support,
how risk is explained, documented, and evidenced,
and sometimes payment flows / funding guidance.
From an AML viewpoint, the IB often becomes the front door — and the front door is where regulators test control effectiveness.
3) “The platform does KYC” is not evidence
Regulators don’t accept compliance by assertion. They test whether you can produce:
complete onboarding files,
beneficial ownership and control understanding,
source of funds rationale,
EDD decisions and approvals,
monitoring outcomes and escalations,
reporting logs and audit trails.
If the local IB cannot produce those records end-to-end, the regulator treats it as a failed operating model, not merely a “vendor problem”.
4) Outsourcing governance is usually the hidden failure
Where outsourcing is used, supervisors expect governance that is real:
contracts with clear responsibilities and audit rights,
guaranteed data access and portability,
QA, MI, and testing by the local accountable institution,
escalation and remediation mechanics.
South Africa’s FIC guidance is explicit: liability for non-compliance cannot be transferred to a third party. (www2.fsca.co.za)
5) Deterrence: regulators are closing regulatory-arbitrage gaps
If local entities could avoid responsibility by “housing compliance offshore,” enforcement would be toothless. Supervisors use visible action to reinforce a market rule: local licensing means local accountability.
The control test: what regulators actually expect to see
When an onshore IB sits in front of an offshore platform, regulators typically want the local entity to demonstrate three things:
Ownership: clear accountability for AML/CFT outcomes (not just process steps).
Control: the ability to direct, test, and remediate the offshore service.
Proof: evidence packs that are complete, consistent, and retrievable fast.
Visual responsibility matrix: Local IB vs Offshore Platform
Legend:A = Accountable (owns outcome / signs off) | R = Responsible (does the work) | S = Supports (enables) | I = Informed
Control Area | Local Introducing Broker (Licensed / Accountable Institution) | Offshore Platform / Principal | What regulators will test (proof) |
AML governance, RMCP ownership | A/R | S | Board/SM oversight, RMCP fit-to-model, MLRO authority, MI & actions |
Enterprise risk assessment (ML/TF/PF) | A/R | S | Risk methodology, risk appetite, product/channel/geography risk logic |
Client onboarding rules + acceptance policy | A/R | S | “Who we onboard / who we reject” rules, EDD triggers, approvals |
KYC/KYB collection | A | R | Completeness, authenticity checks, audit trails, exception handling |
Verification / screening (sanctions/PEP/adverse media) | A | R | Match handling, escalation notes, false-positive governance |
Beneficial ownership & control understanding | A/R | S | Ownership charts, control rationale, documentation, refresh cadence |
Source of funds / wealth (risk-based) | A/R | S | SoF rationale, evidence, risk alignment, approvals for high risk |
Enhanced Due Diligence (EDD) | A/R | S | EDD decisioning, senior approvals, documented outcomes |
Ongoing monitoring rules + tuning | A/R | S | Monitoring scenarios, calibration, QA results, model governance |
Alert handling / investigations | A/R | S | Case notes, disposition rationale, escalation to MLRO, timelines |
Regulatory reporting (STR/CTR, etc.) | A/R | S/I | Submission logs, completeness, timeliness, retention, governance (fic.gov.za) |
Recordkeeping + retrieval | A/R | S | “Produce in 48 hours” capability, immutable audit trails |
Outsourcing oversight (SLAs, audits, testing) | A/R | S | Audit rights, periodic testing, issue logs, remediation evidence (www2.fsca.co.za) |
Marketing / conduct alignment | A/R | S | No misleading claims, clear role disclosure, aligned client communications |
One sentence that matters: if the local entity is Accountable, it must be able to prove control and evidence, even if the offshore platform is doing the operational steps.
Practical remediation: the “proof pack” local IBs should build
If you operate an IB-to-offshore model, this is the minimum pack we recommend having inspection-ready:
Operating model map: end-to-end client journey with controls at each step (who does what, who approves, where evidence sits).
RMCP aligned to reality: not a template — your exact products, channels, geographies, and escalation rules.
Data access confirmation: contractual + technical proof you can retrieve full onboarding and transaction records on demand.
QA and testing programme: periodic file reviews, monitoring validation, KPI thresholds, and tracked remediation.
Regulatory reporting governance: defined responsibility, sign-off, and retained submission logs. (fic.gov.za)
Marensa Advisory
What we do (and how that helps in models like this):
Operating-model-to-evidence design: we translate complex cross-border setups into regulator-defensible control frameworks (RACI, MI, audit trails, proof packs).
AML/CFT build + remediation: RMCP/AML manual rebuilds, CDD/EDD rulebooks, beneficial ownership playbooks, transaction monitoring governance, and inspection readiness.
Multi-regulator perspective: work aligned to expectations commonly tested across UAE frameworks (incl. DIFC/DFSA context, VARA-facing controls, MoE/FIU inspection posture) and international supervisory approaches shaped by FATF standards. (FATF)
Evidence-first delivery: we prioritise what examiners actually ask for — decision logs, approvals, exception handling, and repeatable control testing.
If your model relies on an offshore platform, make sure your local licence holder can still evidence every control, because regulators will enforce where accountability sits.
Comments